
It’s official: FTC has the authority to police cybersecurity

In a resounding win for the Federal Trade Commission (“FTC”), the Third Circuit unanimously affirmed the FTC’s power to regulate cybersecurity under the unfairness prong of the FTC Act (15 U.S.C. §45). FTC v. Wyndham, No. 14-3514 (3rd Cir. Aug. 24, 2015). While the facts made this case an easy one for the Court to decide, the decision’s impact will be far-reaching.

Background

In 2012, the FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries under the FTC Act in relation to three separate data breach incidents in 2008 and 2009 that compromised the personal information of over 619,000 consumers. The FTC accused Wyndham of conduct that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Among other things, the FTC contended that Wyndham failed to use any firewalls, and stored credit card payment information in clear readable text. These actions stood in stark contrast to the company’s privacy policy, which ensured certain standards of protection that Wyndham was not following.

Wyndham moved to dismiss the FTC’s complaint on two grounds: 1) the FTC does not have authority to regulate cybersecurity, and 2) the FTC did not provide fair notice of the standards by which private parties must abide. The District Court denied the motion to dismiss, and the Third Circuit sided with the FTC on each issue.

Analysis

The Third Circuit determined that the FTC has power to regulate cybersecurity. In adopting the FTC Act, Congress explicitly considered, and then rejected, the opportunity to specify particular “unfair” practices that were subject to the regulation. Because the Act was intended to be flexible, with “evolving content,” the Third Circuit determined that cybersecurity could be regulated by the FTC.

Second, the Court determined that Wyndham had fair notice that its cybersecurity practices were prohibited under the FTC Act. The Court explained that fair notice is satisfied “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Wyndham argued that it did not treat its customers in an “unfair” manner because it had itself been the victim of cybercriminals. The Court rejected that argument. After all, Wyndham had been the victim of three separate cyber attacks and yet still failed to put up any firewalls or use encryption for certain sensitive information. These facts were particularly egregious and made it easy for the Court to reach this conclusion.

Looking Ahead

The key takeaway of this decision for companies is that they cannot escape the long arm of the Federal Trade Commission. In particular, any company that has experienced a data security breach will be required to take some proactive efforts to avoid future repeats or risk being subject to the unfairness prong of the FTC Act.
